Hacker Shuts Down Copenhagen's Public City Bikes System (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Hacker Shuts Down Copenhagen's Public City Bikes System (bleepingcomputer.com)

Posted by BeauHD on Saturday May 12, 2018 @07:19AM from the take-a-hike dept.

An anonymous reader writes: "An unidentified hacker has breached Bycyklen -- Copenhagen's city bikes network -- and deleted the organization's entire database, disabling the public's access to bicycles over the weekend," reports Bleeping Computer. "The hack took place on the night between Friday, May 4, and Saturday, May 5, the organization said on its website. Bycyklen described the hack as "rather primitive," alluding it may have been carried out "by a person with a great deal of knowledge of its IT infrastructure." Almost 2,000 bikes were affected, and the company's employees have been working for days, searching for bikes docked across the city and installing a manual update to restore functionality. The company is holding a "treasure hunt," asking users to hunt down and identify non-functional bikes.

72 comments

Min score:

Reason:

Sort:

They have an Android tablet attached to the bikes! by innocent_white_lamb · 2018-05-12 07:31 · Score: 1

This outfit has an Android tablet physically attached to each bicycle.
I wonder how long one of those is expected to last outside in the wind, rain and diesel exhaust.

--
If you're a zombie and you know it, bite your friend!
Non-functional bikes? by DontBeAMoran · 2018-05-12 07:31 · Score: 1

The company is holding a "treasure hunt," asking users to hunt down and identify non-functional bikes.
I'm sorry if I don't know anything about Bycyklen, but how are the bikes "non-functional"? A bike is a bike, isn't it?

--
#DeleteFacebook
1. Re:Non-functional bikes? by Zocalo · 2018-05-12 07:49 · Score: 2
  
  There's generally some kind of lock that you need to remove in order to use the bike, not sure about Bycyklen specifically, but usually it's via some sort of bar through the spokes or pedals, or a clamp that achieves the same effect. Alternatively, bikes must be obtained from and returned to specific racks which lock them in place. Either way, unlocking a bike starts your registers your account for usage of a bike, and locking it again ends it. Since Byclyken uses GPS (and lost the GPS data when the DB was wiped, hence the treasure hunt) I'd assume they have the lock on the bike itself.
  
  --
  UNIX? They're not even circumcised! Savages!
2. Re:Non-functional bikes? by thegarbz · 2018-05-12 21:56 · Score: 1
  
  But is a bike still a bike if it can't be ridden? I don't know about the specifics here but these schemes typically involve either a docking station that won't release the bike or rear-wheel bike look that won't release the bike.
  E.g. O-Bike uses some variant of these: https://allsharktankproducts.c...
Robert'); Drop Table Bicycles;-- by fahrbot-bot · 2018-05-12 07:40 · Score: 5, Funny

Bycyklen described the hack as "rather primitive," ...
Obligatory: xkcd

--
It must have been something you assimilated. . . .
1. Re:Robert'); Drop Table Bicycles;-- by DontBeAMoran · 2018-05-12 08:50 · Score: 2
  
  Bobby Bicycles? Hey, I know that guy!
  
  --
  #DeleteFacebook
2. Re:Robert'); Drop Table Bicycles;-- by fahrbot-bot · 2018-05-12 10:26 · Score: 1
  
  Bobby Bicycles? Hey, I know that guy!
  Ha. I thought to use that as my Subject, just after hitting Submit. Damn slow brain, fast fingers.
  
  --
  It must have been something you assimilated. . . .
Usual internet of things screwup? by DejaBu · 2018-05-12 07:43 · Score: 1

Perhaps, having a distributed system each with simple passwords/credentials are to blame? e.g. 'password=raspberrypi' You have to assume full on hacking will happen immediately, starting with port scans, followed by full dictionary attacks on standard usernames.
1. Re:Usual internet of things screwup? by apoc.famine · 2018-05-12 08:44 · Score: 2
  
  Or, you know, backup your database and practice your restores on a regular basis....
  
  --
  Velociraptor = Distiraptor / Timeraptor
2. Re:Usual internet of things screwup? by Anonymous Coward · 2018-05-12 10:47 · Score: 0
  
  Webscale solutions don't need old-fashioned things like security or backup. Come on...get with the program.
3. Re:Usual internet of things screwup? by q_e_t · 2018-05-13 06:14 · Score: 1
  
  Maybe it is backed up, but restoring it until you are sure there is no ongoing compromise seems unwise
What's the motivation? Anonymity? by shanen · 2018-05-12 07:43 · Score: 2, Insightful

Mindless vandalism? I'm trying to imagine what could motivate such a crime. What sort of grievance could justify attacking a system that lets people borrow bikes?
Just wants to annoy other people? Maybe he sells cars and he felt the bikes were hurting sales? Maybe he's just a mercenary working for the car salesman? Or maybe the prick did it simply because he could.
There are legitimate uses for anonymity. This is NOT one of them.

--
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
1. Re:What's the motivation? Anonymity? by PolygamousRanchKid+ · 2018-05-12 08:00 · Score: 1
  
  What sort of grievance could justify attacking a system that lets people borrow bikes?
  Maybe he sells cars and he felt the bikes were hurting sales?
  
  Oh, those questions answers it all easily:
  Über did it.
  
  --
  Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
2. Re:What's the motivation? Anonymity? by Anonymous Coward · 2018-05-12 08:17 · Score: 0
  
  Maybe it was someone fired for telling them "guys, we really need to have a backup system in place, otherwise we'll end up running around city re-registering the bikes on the first db crash".
3. Re: What's the motivation? Anonymity? by Anonymous Coward · 2018-05-12 08:24 · Score: 0
  
  Because it's funny.
4. Re:What's the motivation? Anonymity? by DontBeAMoran · 2018-05-12 08:52 · Score: 1
  
  "To summarize the summary of the summary: people are a problem." — Douglas Adams
  
  --
  #DeleteFacebook
5. Re:What's the motivation? Anonymity? by Anonymous Coward · 2018-05-12 09:35 · Score: 0
  
  It's still an asshole move.
6. Re:What's the motivation? Anonymity? by Anonymous Coward · 2018-05-12 09:44 · Score: 0
  
  Is this a serious question or are you retarded?
7. Re:What's the motivation? Anonymity? by Anonymous Coward · 2018-05-12 10:11 · Score: 1
  
  I'm trying to imagine what could motivate such a crime.
  Some people just want to watch the world burn.
8. Re:What's the motivation? Anonymity? by hey! · 2018-05-12 11:07 · Score: 1
  
  The right framework to understand this isn't psychology, it's statistics. The probability of an event occurring as the number of trials approaches infinity is either 0, or 1.
  That's the way to understand a lot of what happens in the world, like school shootings. If they can happen, given enough people who are capable of doing them, someone will.
  
  --
  Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
9. Re:What's the motivation? Anonymity? by shanen · 2018-05-12 12:18 · Score: 1
  
  I'm afraid I don't understand what sort of point you are trying to make. Perhaps something like bad things happen, so we should give up?
  Do you have any sort of constructive solution to offer? (I do, but I've already presented it out on Slashdot and never detected any interest.)
  
  --
  Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
10. Re:What's the motivation? Anonymity? by hey! · 2018-05-12 12:59 · Score: 1
  
  No, it's that trying to understand all the possible motivations people might have to do something like this is pointless.
  Early in the days of the Internet I would have clients challenge the need for security. "Why would anyone want to hack me?"
  And I'd answer, "The people you have to worry about don't think like you. Their motivations wouldn't make any sense to you, even if you knew them, which you probably won't."
  
  --
  Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
11. Re:What's the motivation? Anonymity? by shanen · 2018-05-12 14:26 · Score: 1
  
  Simple counterexample will suffice to prove motivations count.
  Where is all of your pump-and-dump stock scam spam? It's gone because they studied the motivations and cured the problem. After several academic papers were published proving that the scammers were effectively shaking money out of the tree, the authorities responded by changing the rules. The motive was profit, the profit was removed, and that specific problem was solved.
  I'm not denying that motivations are difficult to figure out. In this case, I think the primary motive was probably pure stupidity of some sort. Or perhaps impure stupidity mixed with viciousness?
  
  --
  Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
12. Re:What's the motivation? Anonymity? by fafalone · 2018-05-12 16:48 · Score: 1
  
  They also suggested that there was internal knowledge of their network, which I take to mean 'current or former employee', in which case the motive was likely a grievance with the company rather than with bike sharing. Although some bikers are big enough assholes that they could certainly inspire some retribution if they were riding rental bikes. My personal favorites are the ones who yell at me to get out of the way so they can pass on the sidewalk (the law here allows them to ride on the sidewalk but at walking speed and gives pedestrians full right of way).
13. Re:What's the motivation? Anonymity? by AmiMoJo · 2018-05-12 19:03 · Score: 1
  
  Probably just some 4chan kiddie not thinking through the consequences.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
14. Re:What's the motivation? Anonymity? by Anonymous Coward · 2018-05-12 19:12 · Score: 0
  
  Maybe she got offended the company didn't take security seriously?
15. Re:What's the motivation? Anonymity? by Anonymous Coward · 2018-05-12 19:23 · Score: 0
  
  Mindless vandalism? I'm trying to imagine what could motivate such a crime. What sort of grievance could justify attacking a system that lets people borrow bikes?
  Let's see if you get to the answer...
  
  ...maybe the prick did it simply because he could.
  Bingo. And the real prick here is the idiot who didn't secure this database worth a shit. Hackers often validate that you sometimes gotta break shit to get people to fix it.
  
  There are legitimate uses for anonymity. This is NOT one of them.
  There are legitimate ways to describe hacking. This is NOT one of them.
  There are people who understand what anonymity actually means. You are NOT one of them.
16. Re:What's the motivation? Anonymity? by thegarbz · 2018-05-12 21:43 · Score: 1
  
  Getting cut off at an intersection.
17. Re:What's the motivation? Anonymity? by admin7087 · 2018-05-12 23:49 · Score: 1
  
  Deaths caused by terrorist events are also extremely rare, so rare that many people have suggested that inferential statistics is almost useless for predicting them. According to your rationale, it would also make no sense trying to understand terrorist events. Or airline accidents. Or very rare diseases. Or earthquakes - and so forth, you get the point.
  However, the fact is that inferential statistics only works and makes sense if you are able to make at least some reasonable assumptions about an underlying analytical/causal model, otherwise you don't even know which probability distribution may be at play and will get garbage results.You better try to understand what's going on before you even try to make statistical inferences or predictions.
18. Re:What's the motivation? Anonymity? by Anonymous Coward · 2018-05-13 04:00 · Score: 0
  
  What sort of grievance could justify attacking a system that lets people borrow bikes?
  Maybe he sells cars and he felt the bikes were hurting sales?
  Oh, those questions answers it all easily:
  Über did it.
  Don't be ridiculous. This would have to have been done by someone with no sense of right and wrong. Somebody with a mindless desire for profit that doesn't care who he hurts. Oh, wait...
19. Re:What's the motivation? Anonymity? by q_e_t · 2018-05-13 06:17 · Score: 1
  
  It's Denmark.You wouldn't be fired for saying that.
20. Re:What's the motivation? Anonymity? by q_e_t · 2018-05-13 06:28 · Score: 1
  
  I cycle at times, but if there is a cyclist behind me when I'm walking on the pavement I make them wait. Many vulnerable people use the pavements.
21. Re:What's the motivation? Anonymity? by 93+Escort+Wagon · 2018-05-13 06:55 · Score: 1
  
  It was a pro-Euro activist angry about the Kroner.
  
  --
  #DeleteChrome
22. Re:What's the motivation? Anonymity? by f3rret · 2018-05-13 20:16 · Score: 1
  
  Über is illegal in denmark
  
  --
  Admit nothing. Deny Everything. Make Counter-accusations.
Blame Russia... by bogaboga · 2018-05-12 07:48 · Score: 0

I am waiting for that proverbial "blame Russia" rant. Even with no [credible] evidence whatsoever.
Here's the MO; if investigations end up likely to point else where, put out press releases with words like "we know", "likely" and so on. If that fails, simply discredit the investigation itself.
Re:They have an Android tablet attached to the bik by ruddk · 2018-05-12 07:51 · Score: 2

Well, it's Denmark, so I if they weren't made to last in rain, they would have have a very short lifespan. Last year was nothing but rain. This year shows promise, crossing fingers.

--
L'Idiot
ZFS by darkain · 2018-05-12 07:54 · Score: 5, Insightful

Now imagine if this database were to be stored on a ZFS volume with regular snapshots, and those snapshots were sent to other remote machines for backup... The entire database could have been recovered in minutes with just a few simple commands to re-mount the ZFS partition to a given snapshot, restart the database server software, and you're up and running again...
Oh wait, that's right. I'm too old for tech nowadays. There are all these kids fresh out of college using newfangled technology that don't know two shits about information security or data integrity to even give this a thought in the first place. And thus the cycle continues where us old-hats are "over paid" and forced out of work in favor of these new younger generations of "tech wizards"!
1. Re:ZFS by mccalli · 2018-05-12 08:04 · Score: 3, Interesting
  
  Doesn't seem like they lost anything, the way you're describing it. Here's the initial announcement, and here's the update. Doesn't;'t seem like they lost anything in their database.
  
  What seems to have happened is that the hack has managed to erase the client side. Either poison data/commands has erased the tablet they attach to the bike, or the tablet still has data but is now out of sync with their restored backup. That will be why they're talking about going round rebooting the tablets on the bikes - it's the client side that's wrong, ZFS-nothing - it simply wouldn't have helped.
2. Re:ZFS by Anonymous Coward · 2018-05-12 18:04 · Score: 0
  
  Don't bother trying to explain it to that old fogey. His ship sailed long ago without him on it. Ironically, his ignorance is further justification to iceberg the other elderly.
3. Re:ZFS by Anonymous Coward · 2018-05-12 19:26 · Score: 0
  
  Doesn't seem like they lost anything, the way you're describing it. Here's the initial announcement, and here's the update. Doesn't;'t seem like they lost anything in their database.
  What seems to have happened is that the hack has managed to erase the client side. Either poison data/commands has erased the tablet they attach to the bike, or the tablet still has data but is now out of sync with their restored backup. That will be why they're talking about going round rebooting the tablets on the bikes - it's the client side that's wrong, ZFS-nothing - it simply wouldn't have helped.
  You know what else would have helped quite a bit in this scenario? Taking the parents point and learning how to store a valid tablet image under revision control, along with maintaining the capability to push that image out to resolve the "client" problem in an automated fashion.
4. Re:ZFS by Anonymous Coward · 2018-05-12 21:38 · Score: 0
  
  Now, imagine if the whole thing was written in Rust! That would have shown that dirty little cracker!
  *sigh*. People and their hobbyhorses.
5. Re:ZFS by thegarbz · 2018-05-12 21:49 · Score: 1
  
  ZFS volume
  You are actually the worst kind of IT person out there and have basically just fallen into every trap that gives the field a bad reputation.
  - Assumed that this problem is caused by one specific issue.
  - Assumed they don't have this issue already taken care of.
  - Provided a detailed technical solution to a problem you don't know about.
  - Provided a detailed technical solution without considering any of the many alternatives that achieve the same thing your solution proposed to fix.
  You need one of these: https://www.flickr.com/photos/...
  I hate to say it, but if you're getting too old and making way for new blood then the field is better off for it. No doubt you have a wealth of experience and knowledge but that typically comes with the baggage of thinking you know every answer without ever even asking a question.
haxxy haxxy haxx0rz! by Anonymous Coward · 2018-05-12 07:55 · Score: 0

bleepingcomputer's favourite.
But still not worth the read, beauhd.
If the hack was primitive, where is the backup? by guruevi · 2018-05-12 07:56 · Score: 1

Or was the IT department rather primitive as well. In the worst case, a rather primitive deployment like this should lose 15m-1h of data and perhaps another 1-4h of downtime. There are setups that are better with continuous logs and high tech breach detection which would either prevent this or have virtually no downtime.

--
Custom electronics and digital signage for your business: www.evcircuits.com
1. Re:If the hack was primitive, where is the backup? by thegarbz · 2018-05-12 21:53 · Score: 1
  
  In the worst case, a rather primitive deployment like this should lose 15m-1h of data
  Or maybe they lost no data at all and you are just jumping to conclusions about a problem you don't know anything about:
  https://bycyklen.dk/en/news/sa...
  Notice that the problem is fixed almost entirely on the client side?
2. Re:If the hack was primitive, where is the backup? by guruevi · 2018-05-14 01:57 · Score: 1
  
  and deleted the organization's entire database
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
Re:They have an Android tablet attached to the bik by glitch! · 2018-05-12 08:06 · Score: 1

This outfit has an Android tablet physically attached to each bicycle.
That's a lot of money there. How about an ESP8266 module and two AA cells? For less than $3, it has CPU, memory, and wifi. Mount it under the seat or wherever convenient. (The ESP12 is small!)
The device could wake up every so often and listen for an open hot spot. Associate with the hot spot and "phone home" with the MAC address of the hot spot. That might be close enough to locate the bike without GPS.
Meanwhile, volunteers could go war-biking with similar devices WITH GPS to make a database linking the MAC addresses to locations.

--
A dingo ate my sig...
Boredom. by Anonymous Coward · 2018-05-12 08:16 · Score: 1

See, boredom is a result of not being challenged (Csikszentmihalyi) and anger. And misdirected talents.
This whole "only boring people get bored" is total nonsense. Anyone who has had to master a musical instrument or sport or science will know that periods of boring monotony are required for mastering these subjects. But there is a GOAL at the end.
Breaking things or breaking into them gives a rush that you can't get without drugs. When you have no goal at the end.
I'm not just making excuses - just explaining.
Maybe the REAL question should be is Why aren't these people being used productively?
Re: If the hack was primitive, where is the backup by Anonymous Coward · 2018-05-12 08:27 · Score: 0

Agreed. My first thought was the hacker was probably a previous disgruntled employee, from the IT dept.
Re:They have an Android tablet attached to the bik by Anonymous Coward · 2018-05-12 08:31 · Score: 1

You have some great ideas there, you should apply and help them bring it to the next level. I'm sure you will be able to find alternatives to the other features that the tablet provides, such as:
- credit card processing
- usage time tracking
- motor assistance settings
- navigation
- locking/unlocking from charging/drop stations
- locking for parking
- reservation
- and probably more
Double-edged taunt. by SeaFox · 2018-05-12 08:55 · Score: 1

Bycyklen described the hack as "rather primitive,"
What does that say about your security, Bycyklen?
Restore from backup? by movdqa · 2018-05-12 10:27 · Score: 1

Do they have a recovery plan?
Get off my lawn. by Kremmy · 2018-05-12 11:28 · Score: 1

What is with you kids and thinking you need to implement a new file system to do your backups?
1. Re:Get off my lawn. by religionofpeas · 2018-05-12 18:31 · Score: 1
  
  A versioning file system is not the same as a backup mechanism.
2. Re:Get off my lawn. by thegarbz · 2018-05-12 21:51 · Score: 1
  
  A versioning file system is not the same as a backup mechanism.
  And yet the OP's ZFS "solution" listed as its great feature: "and those snapshots were sent to other remote machines for backup..."
  Please read entire threads before replying.
Re: They have an Android tablet attached to the bi by Anonymous Coward · 2018-05-12 12:10 · Score: 0

You sure as fuck don't need an Android tablet for all that. A raspberry pi is more than adequate.
protip: by Anonymous Coward · 2018-05-12 14:06 · Score: 0

Don't become dependent upon IoT... as an individual, or a society.
Now imagine if all cars were "always online"... by ffkom · 2018-05-12 18:08 · Score: 1

... and could be hacked remotely such that they simply would not start anymore. But who would be silly enough to propose that cars should be online? ... oh... wait... preparations for that kind of desaster are already ongoing.

They call it "autonomous cars" in their Newspeak, and it actually means "car that is completely dependent on network services".
1. Re:Now imagine if all cars were "always online"... by religionofpeas · 2018-05-12 20:10 · Score: 1
  
  Now image that smart phones are "always online" and could be hacked such they simply wouldn't start anymore. But who would be silly enough to propose that phones should be online?
2. Re:Now imagine if all cars were "always online"... by Anonymous Coward · 2018-05-13 07:02 · Score: 0
  
  I get what you're trying to say but that was an awful example; For starters, smartphones are COMMUNICATIONS DEVICES - Their whole reason for existing is to be on-line in some fashion, otherwise why have them over a PDA or normal mobile?
  Cars are NOT communications devices - They are transport devices. I can't think of any good reason to connect a car's ECU to a publicly accessible network. Maybe the satnav or infotainment system, but not the ECU! There's no compelling reason to update a car ECU's firmware OTA - This is something that should be done during routine servicing where it can be checked.
  Also, smart phones can't, generally, run over or crash into crowds of people if they get hacked.
Re: They have an Android tablet attached to the b by Anonymous Coward · 2018-05-12 19:41 · Score: 0

Doesn't matter. It has to be visible buzzword compliant.
Re:They have an Android tablet attached to the bik by q_e_t · 2018-05-13 06:10 · Score: 1

I doubt what you propose is legal in Denmark.
Re: They have an Android tablet attached to the bi by Anonymous Coward · 2018-05-13 07:26 · Score: 0

since we are re-engineering the bike, how is raspberry going to display the UI to the end user?
Striking a blow against the Man! by DaveV1.0 · 2018-05-15 00:28 · Score: 1

WooHoo! These 1334 haxors are showing the man who is boss! Yeah, think of the damage they did to Man by shutting down this service! Information wants to be FREE!!!!!

Stop being assholes, you fucking pieces of shit.

--
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
primitive by Anonymous Coward · 2018-05-15 05:08 · Score: 0

So they are saying their security is so bad that just a primitive hack fucks them up like that.